public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 6d0e3c5a5719ea66a47f1859871808d8b2095fa4
@ 2022-10-03 21:58 Peter Müller
From: Peter Müller @ 2022-10-03 21:58 UTC
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  6d0e3c5a5719ea66a47f1859871808d8b2095fa4 (commit)
       via  16eb2d5379757076c23b4cdd14a8af595fd9d1bc (commit)
       via  25a3d87645609b3deffdc45a153eb2e2696032f9 (commit)
       via  e79c4372ceb87d3fa91cd440745cb6125c57e23e (commit)
      from  9826ac9bc299360a89c7f3f5bf3df0b9dfc05217 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 6d0e3c5a5719ea66a47f1859871808d8b2095fa4
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Oct 3 21:58:25 2022 +0000

    libseccomp: Bump package version
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 16eb2d5379757076c23b4cdd14a8af595fd9d1bc
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Mon Sep 19 12:35:41 2022 +0000

    linux: Enable seccomp filter on ARM
    
    Since last time we checked, the kernel's security features on ARM have
    improved notably (see CONFIG_RANDOMIZE_BASE discussion). This patch
    therefore proposes to give the seccomp filter on both 32- and 64-bit ARM
    another try, since it provides significant security benefit to
    applications using it.
    
    Due to operational constraints, rootfile changes have been omitted, and
    will be conducted, should this patch be approved.
    
    Note to future self: Once this patch is approved, applications using
    seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.
    
    Fixes: #12366
    Fixes: #12370
    Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 25a3d87645609b3deffdc45a153eb2e2696032f9
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Sun Oct 2 14:47:52 2022 +0000

    linux: Remove user-space probe support
    
    From the kernel's documentation:
    
    > Uprobes is the user-space counterpart to kprobes: they
    > enable instrumentation applications (such as 'perf probe')
    > to establish unintrusive probes in user-space binaries and
    > libraries, by executing handler functions when the probes
    > are hit by user-space applications.
    >
    > ( These probes come in the form of single-byte breakpoints,
    > managed by the kernel and kept transparent to the probed
    > application. )
    
    To the best of the author's understanding, no application on IPFire
    needs this functionality, and given its abuse potential, we should
    probably not enable it.
    
    As expected, strace functionality is not impaired by this.
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit e79c4372ceb87d3fa91cd440745cb6125c57e23e
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date:   Thu Sep 29 22:35:18 2022 +0200

    suricata 6.0.8 - suggested change in 'suricata.yaml': set app-layer mqtt: enabled: yes
    
    Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
    Acked-by: Peter Müller <peter.mueller(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire | 9 ++++-----
 config/kernel/kernel.config.armv6l-ipfire  | 9 ++++-----
 config/kernel/kernel.config.x86_64-ipfire  | 5 +----
 config/suricata/suricata.yaml              | 2 +-
 lfs/libseccomp                             | 2 +-
 5 files changed, 11 insertions(+), 16 deletions(-)

Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 836e2b15f..e2ae8da17 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -645,7 +645,6 @@ CONFIG_CRYPTO_AES_ARM64_BS=m
 # CONFIG_KPROBES is not set
 CONFIG_JUMP_LABEL=y
 CONFIG_STATIC_KEYS_SELFTEST=y
-CONFIG_UPROBES=y
 CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
 CONFIG_HAVE_KPROBES=y
 CONFIG_HAVE_KRETPROBES=y
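Review bot: Dropping CONFIG_UPROBES=y here leaves no "is not set" counterpart in this hunk, so the intent only becomes visible in the later hunk of this file that writes "# CONFIG_UPROBE_EVENTS is not set". The commit message should say that UPROBES goes away as a consequence of disabling UPROBE_EVENTS. It is also worth recording that CONFIG_KPROBES is already not set (context line at the top of this hunk), so kernel and user-space probes end up consistently off on this architecture.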
@@ -681,7 +680,9 @@ CONFIG_HAVE_CMPXCHG_DOUBLE=y
 CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y
 CONFIG_HAVE_ARCH_SECCOMP=y
 CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
-# CONFIG_SECCOMP is not set
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+# CONFIG_SECCOMP_CACHE_DEBUG is not set
 CONFIG_HAVE_ARCH_STACKLEAK=y
 CONFIG_HAVE_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR=y
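Review bot: CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=y are switched on here, but the commit message says the rootfile changes were left out and that OpenSSH and Tor still need to be updated and shipped on ARM. Until that follow-up lands, the kernel offers the filter while the shipped ARM userland may not use it, so the follow-up should be tracked against #12366 and #12370 rather than left as a note to self. Leaving CONFIG_SECCOMP_CACHE_DEBUG unset is the right choice for a production kernel.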
@@ -8154,9 +8155,7 @@ CONFIG_TRACER_SNAPSHOT=y
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
 # CONFIG_BLK_DEV_IO_TRACE is not set
-CONFIG_UPROBE_EVENTS=y
-CONFIG_DYNAMIC_EVENTS=y
-CONFIG_PROBE_EVENTS=y
+# CONFIG_UPROBE_EVENTS is not set
 CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_PATCHABLE_FUNCTION_ENTRY=y
 # CONFIG_SYNTH_EVENTS is not set
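Review bot: Besides switching off CONFIG_UPROBE_EVENTS, these lines also drop CONFIG_DYNAMIC_EVENTS=y and CONFIG_PROBE_EVENTS=y without an "is not set" line, and the commit message mentions only uprobes. Please state in the message that these two symbols disappear because nothing else in this config enables them (CONFIG_SYNTH_EVENTS is not set in the context line below, CONFIG_KPROBES is not set earlier in the file), so a later reader does not mistake it for an unrelated tracing change.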
diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire
index ae611fc6f..54260aec1 100644
--- a/config/kernel/kernel.config.armv6l-ipfire
+++ b/config/kernel/kernel.config.armv6l-ipfire
@@ -738,7 +738,6 @@ CONFIG_AS_VFP_VMRS_FPINST=y
 # CONFIG_KPROBES is not set
 CONFIG_JUMP_LABEL=y
 CONFIG_STATIC_KEYS_SELFTEST=y
-CONFIG_UPROBES=y
 CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
 CONFIG_ARCH_USE_BUILTIN_BSWAP=y
 CONFIG_HAVE_KPROBES=y
@@ -765,7 +764,9 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
 CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y
 CONFIG_HAVE_ARCH_SECCOMP=y
 CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
-# CONFIG_SECCOMP is not set
+CONFIG_SECCOMP=y
+CONFIG_SECCOMP_FILTER=y
+# CONFIG_SECCOMP_CACHE_DEBUG is not set
 CONFIG_HAVE_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR=y
 CONFIG_STACKPROTECTOR_STRONG=y
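Review bot: The 32-bit ARM config gets the same three seccomp lines as aarch64, yet the commit message justifies the retry only by saying the kernel's security features on ARM "have improved notably" and reports no test on armv6l hardware. Since #12366 and #12370 are marked as fixed, a line stating which 32-bit board was booted with CONFIG_SECCOMP_FILTER=y, and which seccomp-using service was exercised on it, would make this easier to approve.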
@@ -8129,9 +8130,7 @@ CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
 # CONFIG_PROFILE_ALL_BRANCHES is not set
 # CONFIG_BLK_DEV_IO_TRACE is not set
-CONFIG_UPROBE_EVENTS=y
-CONFIG_DYNAMIC_EVENTS=y
-CONFIG_PROBE_EVENTS=y
+# CONFIG_UPROBE_EVENTS is not set
 CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_RECORDMCOUNT=y
 # CONFIG_SYNTH_EVENTS is not set
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index d005f98d4..bb4655a99 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -671,7 +671,6 @@ CONFIG_GENERIC_ENTRY=y
 CONFIG_JUMP_LABEL=y
 CONFIG_STATIC_KEYS_SELFTEST=y
 # CONFIG_STATIC_CALL_SELFTEST is not set
-CONFIG_UPROBES=y
 CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
 CONFIG_ARCH_USE_BUILTIN_BSWAP=y
 CONFIG_USER_RETURN_NOTIFIER=y
@@ -7594,9 +7593,7 @@ CONFIG_TRACER_SNAPSHOT=y
 CONFIG_BRANCH_PROFILE_NONE=y
 # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
 # CONFIG_BLK_DEV_IO_TRACE is not set
-CONFIG_UPROBE_EVENTS=y
-CONFIG_DYNAMIC_EVENTS=y
-CONFIG_PROBE_EVENTS=y
+# CONFIG_UPROBE_EVENTS is not set
 CONFIG_FTRACE_MCOUNT_RECORD=y
 CONFIG_FTRACE_MCOUNT_USE_CC=y
 # CONFIG_SYNTH_EVENTS is not set
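Review bot: On x86_64 the probe removal is the only kernel config change in this push, and the commit message verifies only that strace still works. The kernel documentation quoted in that message names 'perf probe' as a uprobes consumer, so the message or the release notes should say that user-space probes through perf are no longer available once "# CONFIG_UPROBE_EVENTS is not set" ships.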
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 03a7a83af..fb4f9426b 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -371,7 +371,7 @@ app-layer:
         dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
     # MQTT, disabled by default.
     mqtt:
-      # enabled: no
+      enabled: yes
       # max-msg-length: 1mb
     krb5:
       enabled: yes
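Review bot: The comment directly above the changed line still reads "# MQTT, disabled by default." while the line now says "enabled: yes", so the file contradicts itself. Update or drop that comment in the same commit. Since "# max-msg-length: 1mb" stays commented out, the commit message should also mention that the MQTT parser runs with the default message length limit.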
diff --git a/lfs/libseccomp b/lfs/libseccomp
index ada345c2f..c00ca3907 100644
--- a/lfs/libseccomp
+++ b/lfs/libseccomp
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = libseccomp
-PAK_VER    = 8
+PAK_VER    = 9
 
 DEPS       =
 
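Review bot: PAK_VER goes from 8 to 9 under a commit message that says only "Bump package version", so the reason for reshipping libseccomp is not recorded. Add a sentence tying the bump to the seccomp enablement on ARM, and note that the OpenSSH and Tor updates named in that commit's message are not part of this push (the summary lists only five files).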


hooks/post-receive
--
IPFire 2.x development tree
